How to stop 'login abuse', using TrafficScript

Lots of websites provide a protected area for authorized users to log in to. For instance, you might have a downloads section for products on your site where customers can access the software that they have bought.

There are many different ways to protect web pages with a user name and password, but they share a weakness: a user's login and password can quickly be spread around. Once the details are common knowledge, anyone can log in and access the site without paying.

Stingray and TrafficScript to the rescue!

Did you know that TrafficScript can be used to detect when a username and password are used from several different locations? You can then choose whether to disable the account or give the user a new password. All this can be done without replacing any of your current authentication systems on your website:

Looks like the login details for user 'ben99' have been leaked! How can we stop people leeching from this account?

For this example, we'll use a website where the entire site is protected with a PHP script that handles the authentication. It will check a user's password, and then set a USER cookie filled in with the user name. The details of the authentication scheme are not important. In this instance, all that matters is that TrafficScript can discover the user name of the account.

Writing the TrafficScript rule

First of all, TrafficScript needs to ignore any requests that aren't authenticated:

$user = http.getCookie( "USER" );
if( $user == "" ) break;

Next, we'll need to discover where the user is coming from. We'll use the IP address of their machine. However, they may also be connecting via a proxy, in which case we'll use the address supplied by the proxy.

TrafficScript needs to keep track of which IP addresses have been used for each account, so it must store a list of them somewhere that survives between requests. TrafficScript provides persistent storage with the data.get() and data.set() functions.

That's it! If a single account on your site is accessed from more than four different locations, the account will be locked out, preventing abuse.

As this is powered by TrafficScript, further improvements can be made. We can extend the protection in many ways, without having to touch the code that runs your actual site. Remember, this can be deployed with any kind of authentication being used - TrafficScript just needs the user name.

A more advanced example

This has a few new improvements. First of all, the account limits are given a timeout, so that someone can still access the site from different locations (e.g. home and office) while abuse is still caught if the account is being used simultaneously in several locations. Secondly, any abuse is logged, so that an administrator can check up on leaked accounts and take appropriate action. Finally, to show that we can work with other login schemes, this example uses HTTP Basic Authentication to get the user name.
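As an added example that is not code from the original article, here is one complete request rule that ties together the steps above (Basic Auth user name, proxy-aware client address, data.get()/data.set() tracking, the four-location limit, a timeout and logging). The limit values, the data key names and the lockout response are my own assumptions.

```trafficscript
# Added example, not the original article's rule. Assumes a Stingray request
# rule; the data key prefix, the limits and the lockout response are my own.
$maxLocations = 4;   # distinct client addresses allowed per account
$window = 3600;      # seconds after which an address is forgotten

# 1. Find the user name. This variant reads HTTP Basic Authentication; for the
#    cookie scheme, replace this block with $user = http.getCookie( "USER" ).
$auth = http.getHeader( "Authorization" );
if( !string.regexmatch( $auth, "^Basic +([^ ]+)" ) ) break;   # not logged in
$decoded = string.base64decode( $1 );                          # "user:password"
$colon = string.find( $decoded, ":" );
if( $colon < 1 ) break;
$user = string.left( $decoded, $colon );

# 2. Find where the client is. Only honour X-Forwarded-For if the proxies in
#    front of Stingray are trusted, since any client can send that header.
$ip = http.getHeader( "X-Forwarded-For" );
if( $ip == "" ) $ip = request.getRemoteIP();
$hops = string.split( $ip, "," );   # a proxy chain lists the client first
$ip = string.trim( $hops[0] );

# 3. Refuse accounts that are already locked. An administrator clears the
#    lock with data.remove() on the same key.
$key = "loginabuse:" . $user;
if( data.get( $key . ":locked" ) != "" ) {
   http.sendResponse( "403 Forbidden", "text/plain", "Account locked.", "" );
}

# 4. Rebuild the stored "ip=lastseen,ip=lastseen,..." list, dropping entries
#    older than $window and the current address (re-added with a fresh time).
$now = sys.time();
$fresh = "";
$count = 0;
foreach( $entry in string.split( data.get( $key ), "," ) ) {
   $parts = string.split( $entry, "=" );
   if( array.length( $parts ) == 2 && $parts[0] != $ip && $now - $parts[1] <= $window ) {
      $fresh = $fresh . $entry . ",";
      $count = $count + 1;
   }
}
$fresh = $fresh . $ip . "=" . $now;
$count = $count + 1;

# 5. Too many distinct addresses inside the window: log it and lock the account.
if( $count > $maxLocations ) {
   log.warn( "Login abuse: " . $user . " seen from " . $count . " addresses within "
             . $window . "s; addresses: " . $fresh );
   data.set( $key . ":locked", $now );
   http.sendResponse( "403 Forbidden", "text/plain", "Account locked.", "" );
}
data.set( $key, $fresh );
```

Because data.get()/data.set() are not atomic across concurrent requests, two requests arriving together can each miss the other's address; treat the count as a lower bound rather than an exact figure.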
